AD-Group in SP-Group: Workaround for verifying membership

Change log
January 12, 2016
Fixed a bug with using “getByTitle” and not the correct “getByName” in the SP 2010 code example.

This is a workaround for verifying membership in a SharePoint group when the user is added to the group as a member in an AD-group, and not as an individual user.

You will find two code examples below. The first one works in SP 2013 only, while the second works in both SP 2010 and SP 2013 (not SP 2007).

Disclaimer: I have NOT been able to test this as I don’t have any AD groups to add in my SP 2013 Office 365 test site.

Based on this post by Eric Alexander

How to set up a trigger in DFFS

In DFFS backend – add this code to the Custom JS:

SharePoint 2013:

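function spjs_isCurrentUserInGroup(groupIdOrName){
    var endpoint;
    if(typeof groupIdOrName === "string"){
        // Group display name: double single quotes (OData string literal) and URL-encode it
        endpoint = _spPageContextInfo.webAbsoluteUrl+"/_api/web/sitegroups/getbyname('"+encodeURIComponent(groupIdOrName.replace(/'/g,"''"))+"')/CanCurrentUserViewMembership";
    }else{
        // Numeric group ID
        endpoint = _spPageContextInfo.webAbsoluteUrl+"/_api/web/sitegroups("+groupIdOrName+")/CanCurrentUserViewMembership";
    }
    // Return the jqXHR promise so the caller can attach handlers
    return jQuery.ajax({
        "url":endpoint,
        "type":"GET",
        "contentType":"application/json;odata=verbose",
        "headers":{
            "Accept": "application/json;odata=verbose"
        }
    });
}

function checkADGroupMembership(){
    // 18 is the ID of the group.
    // .done() replaces .success(), which was removed in jQuery 3.
    spjs_isCurrentUserInGroup(18).done(
        function(data){
            // True when the current user is allowed to view the group membership
            if(data.d.CanCurrentUserViewMembership){
                setTimeout(function(){
                    spjs.dffs.triggerRule(["isInADGroup"]);
                },10);
            }
        }
    );
}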

SharePoint 2010:

function spjs_isCurrentUserInGroup(groupIdOrName){
    var cc, gc, g, u;
    // get_current() is a static method, so it is called without "new"
    cc = SP.ClientContext.get_current();
    gc = cc.get_web().get_siteGroups();
    if(typeof groupIdOrName === "string"){
        // Group display name
        g = gc.getByName(groupIdOrName);
    }else{
        // Numeric group ID
        g = gc.getById(groupIdOrName);
    }
    // Try to load the users in the group
    u = g.get_users();
    cc.load(u);
    cc.executeQueryAsync(
        function(sender, args){
            // Success: the current user can read the group membership
            setTimeout(function(){
                spjs.dffs.triggerRule(["isInADGroup"]);
            },10);
        },
        function(sender, args){
            // No access
        }
    );
}

function checkADGroupMembership(){
    // 18 is the ID of the group
    spjs_isCurrentUserInGroup(18);
}

The number 18 in the function “checkADGroupMembership” is the group id, but you can also use the display name of the group – change it to match your group.

Add a rule to DFFS with the “Rule friendly name”:

isInADGroup

This rule is set up with the trigger “No trigger (must be triggered manually)”, and with all the actions you want to apply if the rule is triggered.

As this is a “manual trigger rule”, you must add another rule to trigger this one when the form has loaded. This is necessary because the REST call cannot be used with the trigger “Custom JavaScript functions” directly.

The REST call / JSOM query, and the subsequent triggering of the DFFS rule if the user is a member of the group, is started by another DFFS rule that triggers on “The form is ready”.

Set this one up with the function name “checkADGroupMembership” in the “Run these functions / trigger these rules” field.

If the logged-in user is a member of the SharePoint group through membership in an AD-group, the rule “isInADGroup” will be triggered.
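To also handle the not-in-group and request-failure cases, and to pass a group display name safely into the REST URL, the following is an added example (not code from the original post or from DFFS). The helper names and the rule name “isNotInADGroup” are assumptions; create a second manually triggered rule with that name if you use it.

```javascript
// Added example: helper names and the "isNotInADGroup" rule are hypothetical.

// Build the REST URL from the SP 2013 snippet. A group name is an OData string
// literal: double any single quote, then URL-encode it so characters such as
// # or ? in a display name cannot change the request path.
function buildMembershipEndpoint(webUrl, groupIdOrName) {
  var base = String(webUrl).replace(/\/+$/, "") + "/_api/web/sitegroups";
  if (typeof groupIdOrName === "number") {
    var isInt = isFinite(groupIdOrName) && Math.floor(groupIdOrName) === groupIdOrName;
    if (!isInt || groupIdOrName < 1) {
      throw new TypeError("Group ID must be a positive integer");
    }
    return base + "(" + groupIdOrName + ")/CanCurrentUserViewMembership";
  }
  if (typeof groupIdOrName !== "string" || groupIdOrName.replace(/\s/g, "") === "") {
    throw new TypeError("Group must be a numeric ID or a non-empty name");
  }
  var literal = encodeURIComponent(groupIdOrName.replace(/'/g, "''"));
  return base + "/getbyname('" + literal + "')/CanCurrentUserViewMembership";
}

// Reduce the HTTP outcome to three states. Only an explicit `true` counts as
// "allowed". Assumption: an explicit `false` or a 401/403 means the user may
// not view the membership; anything else (timeout, 404, 500) is "unknown".
function interpretMembershipResponse(status, body) {
  var value = body && body.d ? body.d.CanCurrentUserViewMembership : undefined;
  if (status === 200 && value === true) { return "allowed"; }
  if ((status === 200 && value === false) || status === 401 || status === 403) {
    return "denied";
  }
  return "unknown";
}

// Choose which manually triggered DFFS rules to run. "unknown" runs nothing,
// so a failed request never applies the member-only rule.
function rulesForState(state) {
  if (state === "allowed") { return ["isInADGroup"]; }
  if (state === "denied") { return ["isNotInADGroup"]; }
  return [];
}

// Wiring in the form (browser only; jQuery and spjs come from the page):
// jQuery.ajax({url: buildMembershipEndpoint(_spPageContextInfo.webAbsoluteUrl, 18),
//     headers: {"Accept": "application/json;odata=verbose"}})
//   .always(function (a, textStatus, b) {
//     var ok = textStatus === "success", xhr = ok ? b : a, body = ok ? a : null;
//     var rules = rulesForState(interpretMembershipResponse(xhr.status, body));
//     if (rules.length) { spjs.dffs.triggerRule(rules); }
//   });
```

CanCurrentUserViewMembership reports whether the current user may view the group's membership, so the result matches membership only while the group setting “Who can view the membership of the group?” is “Group Members”. Rules triggered this way change what the form shows in the browser and do not replace SharePoint permissions on the list or its items.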

I hope this makes sense, and if not – post a comment below or in the forum.

Alexander

6 thoughts on “AD-Group in SP-Group: Workaround for verifying membership”

  1. Hi,
    To do something if the user is NOT in the group, look at the code for:

    cc.executeQueryAsync(...

    The first function is for “success = is in group”, the last function is for “fail = not in group”.

    Hope this helps,
    Alexander
